Homeland Security officials who defied Congress and misled the public by creating secret files on American citizens while testing a new passenger screening program may have engaged in multiple counts of criminal conduct, and at least one employee has already lied to cover-up the misdeed.

These announced violations of the Privacy Act add yet another chapter to the increasingly repetitive story of the TSA's sloppy data practices, disregard for the nation's privacy laws, and false statements to the American public, Congress and the media.

[...]

TSA officials, including Secure Flight program manager Justin Oberman, are now working furiously behind the scenes, using words like "unsurprising," to downplay the extent of their wrongdoing to Congressional investigators, journalists, and civil liberties groups.

But the misconduct actually pertains to the crux of earlier official notices that promised that the agency would never get a hold of commercial data during the tests, according to Peter Swire, a law professor and the former top Clinton Administration privacy official.

"The use of commercial data was the single biggest issue in this system of records," Swire said. "It was at the center of Congressional debate; it was the topic of extended discussion by the agency, and an intentional, systematic violation of that promise is a big deal."

"This was likely a criminal violation," Swire said. "If the agency can ignore that sort of promise that would undercut the entire Privacy Act."

The most breathtaking privacy violation: TSA massively expanded the scope of the private information collected for testing Secure Flight.

TSA had initially said, "Individuals subject to the data collection requirements and processes of Secure Flight are persons who traveled within the United States during June 2004, the pre-selected 30-day period."

During actual testing, however, TSA's contractor picked 42,000 names from the list of June air travelers, and for each of those names "created up to twenty variations of a person's first and last names" -- meaning that it submitted an extra 240,000 new names to three commercial data brokers (Acxiom, InsightAmerica, and Qsent).

TSA didn't say how many of these 282,000 names yielded commercial dossiers. But it's clear that personal information about many tens of thousands of people who didn't even fly in June 2004 was turned over.

Moreover, the commercial data brokers handed over people's Social Security numbers without even being asked; the revised SORN/PIA states: "In some cases the commercial data aggregators provided information that [TSA contractor] EagleForce did not request, such as social security numbers, due to the way the commercial data aggregators packaged their product."

All of this violates the Privacy Act, under which agencies must give public advance notice of "the existence and character" of any system of records that stores personal information. 5 U.S.C. ? 552a(e)(4). Failure to do so can, in theory, subject agency officers or employees to criminal penalties. 5 U.S.C. ? 552a(i)(2) ("Any officer or employee of any agency who willfully maintains a system of records without meeting the notice requirements of subsection (e)(4) of this section shall be guilty of a misdemeanor and fined not more than $5,000.")

It should be clear that "commercial data" is the devil's candy for passenger screening true believers, who seem to have vowed that "if only we could get just a few more data points, we'll show them that Secure Flight works."

This should be TSA's last lie -- and the last time a government agency strips us of our privacy for this disastrous program.

Related Updates

There is a new gold standard in the movement to require transparency and community engagement before local police departments are permitted to acquire or use surveillance technology. Oakland’s Surveillance and Community Safety ordinance builds upon the momentum of several cities and counties that have enacted laws to protect their...

In recent years, protesters have come face to face with police forces that are increasingly well-equipped with battlefield surveillance technologies. That’s because U.S. police are getting more and more equipment from the U.S. military—including sophisticated surveillance equipment. The trend has led to disturbing scenes like those from 2014 protests...

The Supreme Court unanimously ruled yesterday in Byrd v. United States that the driver of a rental car could have a reasonable expectation of privacy in the car even though the rental agreement did not authorize him to drive it. We’re pleased that that the Court refused to let...

On Thursday, EFF released a new version of Privacy Badger featuring a new, experimental way to protect your privacy on—and crucially, off—Facebook. It specifically targets link tracking, Facebook’s practice of following you whenever you click on a link to leave facebook.com. Download Privacy Badger What is link tracking...

Do you use Verizon, AT&T, Sprint, or T-Mobile? If so, your real-time cell phone location data may have been shared with law enforcement without your knowledge or consent. How could this happen? Well, a company that provides phone services to jails and prisons has been collecting location information on...

Boston, Massachusetts—The Electronic Frontier Foundation (EFF), the American Civil Liberties Union (ACLU), and the ACLU of Massachusetts won a court ruling today allowing their groundbreaking lawsuit challenging unconstitutional searches of electronic devices at the U.S. border to proceed—a victory for the digital rights of all international travelers. EFF and ACLU...

Washington, D.C.—The Electronic Frontier Foundation (EFF) called on Facebook, Google, and other social media companies today to publicly report how many user posts they take down, provide users with detailed explanations about takedowns, and implement appeals policies to boost accountability. EFF, ACLU of Northern California, Center for Democracy & Technology...

In their effort to prevent states from protecting a free and open Internet, a small handful of massive and extraordinarily profitably Internet service providers (ISPs) are telling state legislatures that network neutrality would hinder their ability to raise revenues to pay for upgrades and thus force them to charge consumers...

EFF, together with 41 national, state, and local civil rights and civil liberties groups, sent a letter today urging the ethics board of police technology and weapons developer Axon to hold the company accountable to the communities its products impact—and to itself. Axon, based in Scottsdale, Arizona, is responsible for...